It seems that as financial institutions become ever more vigilant in monitoring for suspicious activity, the criminal element just seems to find ever more inventive ways to launder money and commit financial crimes. One of the more recent tactics is to use the “dirty” money to purchase prepaid cards that can then be used or sold by or, in some cases, transferred to other parties.
As a result, the federal regulatory agencies have become concerned that financial institutions should be applying their Customer Identification Program (CIP) when they issue prepaid cards. On March 21st, the federal financial regulatory agencies issued joint guidance entitled, Interagency Guidance to Issuing Banks on Applying Customer Identification Program Requirements to Holders of Prepaid Cards, in which the agencies acknowledge that prepaid cards have become more mainstream and can be used to perform similar functions as performed through an account with the financial institution. Therefore, prepaid cards that allow the cardholder the ability to reload funds or access credit or overdraft features should be treated in the same manner as accounts for the purpose of CIP. A prepaid card that does not permit either or both of these two activities is not covered under this guidance and does not trigger the need to apply your CIP procedures. It’s also important to know that a footnote in the Guidance states that the term “prepaid card” also includes other similar devices, such as certain prepaid access products offered through a mobile phone or Internet sites that can be used to access funds.
To understand the guidelines, it is first important to address two questions: (1) which prepaid cards are covered by the guidelines, and (2) how do you determine to which party you should apply your CIP procedures.
The guidelines cover a number of different prepaid card products, which include general purpose prepaid cards that can be used at multiple, unaffiliated merchant locations and allow the cardholder to perform a variety of transactions, such as ATM withdrawals, point of sale purchases, bill payment and transferring to and/or receiving funds from other cardholders. Prepaid cards include the payroll cards used by some employers to pay employees and provide other benefits, such as pre-tax flexible spending arrangements for healthcare or dependent care expenses. The Electronic Benefit Cards (EBTs) used by government agencies to distribute benefit payments, as well as prepaid cards attached to Health Savings Accounts and other similar accounts, are also covered by this Guidance. In addition, financial institutions are not only expected to apply their CIP procedures to covered prepaid cards they issue, they are also responsible for applying those same CIP procedures to prepaid cards issued by the financial institution under an arrangement with a third-party program manager, although the actual collection of the CIP documentation may be performed by the third-party program manager.
So that brings us to the second important question, which is how to determine the correct party to whom to apply your CIP procedures in these various circumstances. The CIP rule states that the financial institution must identify the named accountholder. The Guidance provides a discussion of a variety of scenarios, but here is a quick summary of who is considered the named accountholder depending on the nature of the prepaid card.
- For general purpose prepaid cards issued by the financial institution, the cardholder should be considered the named accountholder;
- If the prepaid card is issued by a third-party program manager, but the cardholder has the ability to reload the card or has access to credit or overdraft features, the cardholder should be considered the named accountholder, even if the third-party program manager established a pooled account with your institution in which the funds are held in trust or on behalf of the cardholders;
- If the prepaid cards issued by a third-party program manager are non-reloadable prepaid cards without credit or overdraft features, then the third-party program manager in whose name the pooled account has been established should be considered as the named accountholder and the CIP procedures should be applied to the third-party program manager;
- For payroll cards, the CIP procedures should be applied against the employer who has established the payroll account at the financial institution as long as the employer is the only party that can deposit funds to the account. If individual employees are permitted to access credit through the payroll card or to reload the payroll card, the CIP procedures should then be applied to each individual employee;
- A similar analysis applies to government benefit cards (EBTs). If the government agency is the only party that can deposit funds to the account and the recipient is not provided with access to credit or overdraft services, no CIP needs to be conducted, as government agencies are exempt from the CIP rule. However, if the recipient can load non-government funds on the card or has access to credit or overdraft services, then the recipient or beneficiary must be identified using your CIP procedures.
- Health Savings Accounts are established by the employee and either the employee or the employer may contribute to the account. Your CIP procedures should be applied to the employee; and
- Flexible Spending Arrangements (FSAs) and Health Reimbursement Arrangements (HRAs) are also established by the employer and can be funded by the employee or through direct employer contributions. Because these accounts are established by the employer (or the employer’s agent), the CIP procedures should be applied to the employer only.
Lastly, the Guidance provides minimum requirements for contracts with third-party program managers that include identifying:
- The CIP obligations of the parties;
- The right of the issuing financial institution to transfer, store, or otherwise obtain immediate access to all CIP information collected by the third-party program manager on cardholders;
- The right of the issuing financial institution to audit the third-party program manager and to monitor its performance; and
- If applicable, that the relevant regulatory body has the right to examine the third-party program manager.
For more information, the complete text of the Guidance can be found here.